Message ID | 20220802074750.2581308-2-xiaoyao.li@intel.com |
Series | TDX QEMU support | expand |
On Tue, Aug 02, 2022 at 03:47:11PM +0800, Xiaoyao Li wrote: > Pull in recent TDX updates, which are not backwards compatible. > > It's just to make this series runnable. It will be updated by script > > scripts/update-linux-headers.sh > > once TDX support is upstreamed in linux kernel. I saw a bunch of TDX support merged in 5.19: commit 3a755ebcc2557e22b895b8976257f682c653db1d Merge: 5b828263b180 c796f02162e4 Author: Linus Torvalds <torvalds@linux-foundation.org> Date: Mon May 23 17:51:12 2022 -0700 Merge tag 'x86_tdx_for_v5.19_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull Intel TDX support from Borislav Petkov: "Intel Trust Domain Extensions (TDX) support. This is the Intel version of a confidential computing solution called Trust Domain Extensions (TDX). This series adds support to run the kernel as part of a TDX guest. It provides similar guest protections to AMD's SEV-SNP like guest memory and register state encryption, memory integrity protection and a lot more. Design-wise, it differs from AMD's solution considerably: it uses a software module which runs in a special CPU mode called (Secure Arbitration Mode) SEAM. As the name suggests, this module serves as sort of an arbiter which the confidential guest calls for services it needs during its lifetime. Just like AMD's SNP set, this series reworks and streamlines certain parts of x86 arch code so that this feature can be properly accomodated" Is that sufficient for this patch, or is there more pending out of tree that QEMU still depends on ? With regards, Daniel
On 8/2/2022 5:47 PM, Daniel P. Berrangé wrote: > On Tue, Aug 02, 2022 at 03:47:11PM +0800, Xiaoyao Li wrote: >> Pull in recent TDX updates, which are not backwards compatible. >> >> It's just to make this series runnable. It will be updated by script >> >> scripts/update-linux-headers.sh >> >> once TDX support is upstreamed in linux kernel. > > I saw a bunch of TDX support merged in 5.19: > > commit 3a755ebcc2557e22b895b8976257f682c653db1d > Merge: 5b828263b180 c796f02162e4 > Author: Linus Torvalds <torvalds@linux-foundation.org> > Date: Mon May 23 17:51:12 2022 -0700 > > Merge tag 'x86_tdx_for_v5.19_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip > > Pull Intel TDX support from Borislav Petkov: > "Intel Trust Domain Extensions (TDX) support. > > This is the Intel version of a confidential computing solution called > Trust Domain Extensions (TDX). This series adds support to run the > kernel as part of a TDX guest. It provides similar guest protections > to AMD's SEV-SNP like guest memory and register state encryption, > memory integrity protection and a lot more. > > Design-wise, it differs from AMD's solution considerably: it uses a > software module which runs in a special CPU mode called (Secure > Arbitration Mode) SEAM. As the name suggests, this module serves as > sort of an arbiter which the confidential guest calls for services it > needs during its lifetime. > > Just like AMD's SNP set, this series reworks and streamlines certain > parts of x86 arch code so that this feature can be properly > accomodated" > > > Is that sufficient for this patch, or is there more pending out of > tree that QEMU still depends on ? That's TDX guest support, i.e., running Linux as a TDX guest OS. What QEMU needs is TDX KVM (host-side) support, and that hasn't been merged yet. > With regards, > Daniel
diff --git a/linux-headers/asm-x86/kvm.h b/linux-headers/asm-x86/kvm.h
index bf6e96011dfe..a5433cc71f79 100644
--- a/linux-headers/asm-x86/kvm.h
+++ b/linux-headers/asm-x86/kvm.h
@@ -525,4 +525,99 @@ struct kvm_pmu_event_filter {
 #define KVM_VCPU_TSC_CTRL 0 /* control group for the timestamp counter (TSC) */
 #define KVM_VCPU_TSC_OFFSET 0 /* attribute for the TSC offset */
+#define KVM_X86_DEFAULT_VM 0
+#define KVM_X86_TDX_VM 1
+
+/* Trust Domain eXtension sub-ioctl() commands. */
+enum kvm_tdx_cmd_id {
+ KVM_TDX_CAPABILITIES = 0,
+ KVM_TDX_INIT_VM,
+ KVM_TDX_INIT_VCPU,
+ KVM_TDX_INIT_MEM_REGION,
+ KVM_TDX_FINALIZE_VM,
+
+ KVM_TDX_CMD_NR_MAX,
+};
+
+struct kvm_tdx_cmd {
+ /* enum kvm_tdx_cmd_id */
+ __u32 id;
+ /* flags for sub-commend. If sub-command doesn't use this, set zero. */
+ __u32 flags;
+ /*
+ * data for each sub-command. An immediate or a pointer to the actual
+ * data in process virtual address. If sub-command doesn't use it,
+ * set zero.
+ */
+ __u64 data;
+ /*
+ * Auxiliary error code. The sub-command may return TDX SEAMCALL
+ * status code in addition to -Exxx.
+ * Defined for consistency with struct kvm_sev_cmd.
+ */
+ __u64 error;
+ /* Reserved: Defined for consistency with struct kvm_sev_cmd. */
+ __u64 unused;
+};
+
+struct kvm_tdx_cpuid_config {
+ __u32 leaf;
+ __u32 sub_leaf;
+ __u32 eax;
+ __u32 ebx;
+ __u32 ecx;
+ __u32 edx;
+};
+
+struct kvm_tdx_capabilities {
+ __u64 attrs_fixed0;
+ __u64 attrs_fixed1;
+ __u64 xfam_fixed0;
+ __u64 xfam_fixed1;
+
+ __u32 nr_cpuid_configs;
+ __u32 padding;
+ struct kvm_tdx_cpuid_config cpuid_configs[0];
+};
+
+struct kvm_tdx_init_vm {
+ __u64 attributes;
+ __u32 max_vcpus;
+ __u32 padding;
+ __u64 mrconfigid[6]; /* sha384 digest */
+ __u64 mrowner[6]; /* sha384 digest */
+ __u64 mrownerconfig[6]; /* sha348 digest */
+ union {
+ /*
+ * KVM_TDX_INIT_VM is called before vcpu creation, thus before
+ * KVM_SET_CPUID2. CPUID configurations needs to be passed.
+ *
+ * This configuration supersedes KVM_SET_CPUID{,2}.
+ * The user space VMM, e.g. qemu, should make them consistent
+ * with this values.
+ * sizeof(struct kvm_cpuid_entry2) * KVM_MAX_CPUID_ENTRIES(256)
+ * = 8KB.
+ */
+ struct {
+ struct kvm_cpuid2 cpuid;
+ /* 8KB with KVM_MAX_CPUID_ENTRIES. */
+ struct kvm_cpuid_entry2 entries[];
+ };
+ /*
+ * For future extensibility.
+ * The size(struct kvm_tdx_init_vm) = 16KB.
+ * This should be enough given sizeof(TD_PARAMS) = 1024
+ */
+ __u64 reserved[2028];
+ };
+};
+
+#define KVM_TDX_MEASURE_MEMORY_REGION (1UL << 0)
+
+struct kvm_tdx_init_mem_region {
+ __u64 source_addr;
+ __u64 gpa;
+ __u64 nr_pages;
+};
+
 #endif /* _ASM_X86_KVM_H */
diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index f089349149a5..054cf89fa2d6 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -1151,6 +1151,8 @@ struct kvm_ppc_resize_hpt {
 /* #define KVM_CAP_VM_TSC_CONTROL 214 */
 #define KVM_CAP_SYSTEM_EVENT_DATA 215
+#define KVM_CAP_VM_TYPES 216
+
 #ifdef KVM_CAP_IRQ_ROUTING
 struct kvm_irq_routing_irqchip {
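Review bot: The comment on `mrownerconfig` in struct kvm_tdx_init_vm reads `/* sha348 digest */` while its two sibling fields say sha384; it should be `__u64 mrownerconfig[6]; /* sha384 digest */` (and `sub-commend` in the flags comment of struct kvm_tdx_cmd should be `sub-command`). In the same hunk struct kvm_tdx_capabilities ends with the GNU zero-length array `cpuid_configs[0]` whereas kvm_tdx_init_vm already uses a C99 flexible array member (`entries[]`); `struct kvm_tdx_cpuid_config cpuid_configs[];` would be consistent with the rest of the hunk and with current kernel uapi practice. Since this file is a copy of the kernel uapi header that the commit message says will be regenerated by scripts/update-linux-headers.sh, both fixes belong in the out-of-tree KVM TDX series rather than in this patch, but they are worth reporting upstream so the final sync is clean. Because the KVM side of this ABI is not yet merged (as the thread above confirms), the sub-command numbering in enum kvm_tdx_cmd_id and the struct layouts here should be treated as provisional by the QEMU code that consumes them.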